Environment
- EDR Server: 7.5.2 and lower
Question
- How can we check attempts to use the Log4J exploit on our EDR servers?
Answer
- Our Product Security Team mentions that SOLR is not publicly exposed by default and that input is escaped before making it to SOLR. In the interest of our customer base we decided to patch and remediate as soon as we could to avoid taking any chances.
- Below is an example in the /var/log/cb/nginx/access.log log file of an attempt to exploit:
- Checking for this can be done on the EDR Server terminal via:
grep -rni /var/log/cb/nginx/ -e 'jndi'
Additional Notes
- Please make note, this command is an attempt and not an indicator of compromise. The attempt is blocked by Nginx and is not allowed to go further into the system
- Please make sure you have the mitigations in place to protect your system. EDR: How to add the Log4j Mitigation
Related Content